
Rcon locker / exploit fix


  
 
 
Author: devicenull (Veteran Member; joined Mar 2004; location: CT)
Plugin ID: 917
Plugin Version: 0.6.7
Plugin Category: General Purpose
Plugin Game: Any
Plugin Dependencies: (none listed)
Servers with this Plugin: 66
Plugin Description: Lock rcon password / prevent some exploits
Unapprover: (not listed)
Reason for Unapproving: Causes issues with SM command permissions - also entirely(?) unnecessary nowadays

Posted 06-04-2009, 14:53 (post #1)

    This plugin will prevent your rcon password from being changed. It uses whatever password you have set in server.cfg, and resetting the password will require the server to be updated in server.cfg, and then restarted.

    This fixes the following exploits:
    • Executing harmful commands via ent_fire/ent_create if cheats are on
    • Around 10 or so commands that can be used to lag the server (adds the cheats flag to them)
    • Loading plugins clientside, allowing you to use cheat commands
    • Clients would be able to teleport, regardless of cheats/plugins on server.
• If Mani is detected, spammable commands will be blocked (this will break nextmap functionality, but it's either that or risk server crashes)
    • Es_tools changelevel exploit
    • Cvar bounds are removed on sv_rcon_minfailures and sv_rcon_maxfailures. These are also set to 10,000 if they are not changed in your config file.
    • "unnamed" users will be kicked once they join.
    • Users with bell or % characters will be kicked when they join
    • Commands executed before a client has connected will be blocked.
    • Prevent logging from being disabled, if it is ever enabled while the plugin is active.
    • All commands on the server will be logged by default.

    No configuration is needed for this plugin.

Note: This will leave your server vulnerable to brute force attacks, though that's easily fixed: just use a secure rcon password. This was necessary to prevent a server crash that happens when a user is banned from accessing rcon.

    To generate a secure rcon password go here. These passwords are randomly generated and change each time you refresh the page. If you use these, there are 62^24 possible passwords, so they won't be brute forced any time soon.


    If you wish to disable the command logging functionality, create a file in addons/sourcemod/configs named rcon_lock.cfg. It doesn't matter what this file contains, as long as it exists it will be disabled.

    I didn't want to add the ability to disable command logging as a cvar, as many rcon "hack" scripts already attempt to disable normal logs. Unless you are running old eventscripts plugins, you can safely leave command logging enabled.

    If you are running 1.3 or higher, you want the "rcon_lock" plugin.

    If you are running under 1.3, you want the "rcon_lock_legacy" plugin, or to upgrade sourcemod. Note that the legacy plugin is no longer being updated.
Attached files:
• rcon_lock.sp (13.2 KB)
• rcon_lock_legacy.sp (10.4 KB)
    Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/

    Last edited by devicenull; 06-01-2010 at 20:52.
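The sketch below is an added illustration, not devicenull's rcon_lock.sp (which is attached above), of how the behaviours the post lists map onto the SourceMod API in the old-style SourcePawn syntax: snapshot rcon_password as server.cfg set it and revert any later change, lift the bounds on sv_rcon_minfailures / sv_rcon_maxfailures and raise them to 10,000 when server.cfg left them at their defaults, kick "unnamed" players and names containing a bell or % character, block commands from clients that have not finished connecting, and log every command unless the addons/sourcemod/configs/rcon_lock.cfg marker file exists. The plugin name, log messages, kick reason and the helper names RaiseLockoutCvar / IsDisallowedName / OnAnyCommand are assumptions of this example.

```sourcepawn
#include <sourcemod>

#pragma semicolon 1

#define LOCKOUT_DEFAULT 10000   // value the post says the lockout cvars are raised to

// Example sketch for illustration; not the rcon_lock plugin's own source.
public Plugin:myinfo =
{
    name        = "rcon lock sketch (example)",
    author      = "example, not the plugin author",
    description = "Pins rcon_password, filters bad names, logs commands",
    version     = "0.0",
    url         = ""
};

new Handle:g_hRconPassword = INVALID_HANDLE;
new String:g_sLockedPassword[128];   // the value server.cfg set before this loaded
new bool:g_bLogCommands = true;      // off only when the marker file exists

public OnPluginStart()
{
    // 1. Snapshot rcon_password from server.cfg and revert any later change.
    g_hRconPassword = FindConVar("rcon_password");
    if (g_hRconPassword != INVALID_HANDLE)
    {
        GetConVarString(g_hRconPassword, g_sLockedPassword, sizeof(g_sLockedPassword));
        HookConVarChange(g_hRconPassword, OnRconPasswordChanged);
    }

    // 2. Lift the engine bounds on the rcon lockout counters; raise them if untouched.
    RaiseLockoutCvar("sv_rcon_minfailures");
    RaiseLockoutCvar("sv_rcon_maxfailures");

    // 3. Command logging stays on unless configs/rcon_lock.cfg exists (content ignored).
    decl String:path[PLATFORM_MAX_PATH];
    BuildPath(Path_SM, path, sizeof(path), "configs/rcon_lock.cfg");
    g_bLogCommands = !FileExists(path);

    // An empty command name registers a global listener for every command.
    AddCommandListener(OnAnyCommand, "");
}

RaiseLockoutCvar(const String:cvarName[])
{
    new Handle:hCvar = FindConVar(cvarName);
    if (hCvar == INVALID_HANDLE) return;

    SetConVarBounds(hCvar, ConVarBound_Lower, false);
    SetConVarBounds(hCvar, ConVarBound_Upper, false);

    // Only override the value when server.cfg left it at the engine default.
    decl String:current[16], String:def[16];
    GetConVarString(hCvar, current, sizeof(current));
    GetConVarDefault(hCvar, def, sizeof(def));
    if (StrEqual(current, def))
    {
        SetConVarInt(hCvar, LOCKOUT_DEFAULT);
    }
}

public OnRconPasswordChanged(Handle:convar, const String:oldValue[], const String:newValue[])
{
    // Our own restore arrives here too; an identical value needs no action.
    if (StrEqual(newValue, g_sLockedPassword)) return;

    LogMessage("Blocked attempt to change rcon_password; restoring server.cfg value");
    SetConVarString(convar, g_sLockedPassword);
}

public OnClientPostAdminCheck(client)
{
    if (IsFakeClient(client)) return;

    decl String:name[MAX_NAME_LENGTH];
    GetClientName(client, name, sizeof(name));
    if (IsDisallowedName(name))
    {
        LogMessage("Kicking %L: disallowed player name", client);
        KickClient(client, "Your player name is not allowed on this server");
    }
}

bool:IsDisallowedName(const String:name[])
{
    // "unnamed" clients and names containing a bell (0x07) or '%' character.
    if (StrEqual(name, "unnamed", false)) return true;
    if (StrContains(name, "%") != -1)     return true;
    if (StrContains(name, "\x07") != -1)  return true;
    return false;
}

public Action:OnAnyCommand(client, const String:command[], argc)
{
    // Block commands from a client that has not finished connecting.
    if (client > 0 && !IsClientInGame(client)) return Plugin_Handled;

    if (g_bLogCommands)
    {
        decl String:args[256];
        GetCmdArgString(args, sizeof(args));
        LogMessage("command from %L: %s %s", client, command, args);
    }
    return Plugin_Continue;
}
```

The password hook relies on the change callback firing for the restore as well, which is why it returns early when the new value already equals the snapshot; without that check the restore would loop. The global command listener is the expensive part of this design and is the kind of thing the unapproval note about SM command permissions refers to, so on a live server it is worth scoping what gets logged or blocked rather than intercepting everything.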